Analysis
max time kernel: 146s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 28-11-2024 23:53
Static task: static1
Behavioral task: behavioral1
Sample: 7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe
Resource: win7-20240903-en
General
Target: 7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe
Size: 96KB
MD5: c44cdf5463ca0606e35f53d6fba274b2
SHA1: e0209a5260253ae6581e0a6b34daf683e1f3bc63
SHA256: 7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1
SHA512: 72e316391de38d54cf2954cbc5be34585b2486387d87868219aecefcc42c51b9601658940997a4f174975c3ad42ec3cf7c19662fb803741f56b8517fd04ad39b
SSDEEP: 1536:YnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxB:YGs8cd8eXlYairZYqMddH13B
Malware Config
Extracted
Family: neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (6 IoCs)
pid   Process
3936  omsecor.exe
4672  omsecor.exe
2160  omsecor.exe
3168  omsecor.exe
3468  omsecor.exe
2816  omsecor.exe

Drops file in System32 directory (1 IoC)
description   ioc                              Process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
description                          pid   Process                                                                 procid_target
PID 4120 set thread context of 1484  4120  7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe  83
PID 3936 set thread context of 4672  3936  omsecor.exe                                                             88
PID 2160 set thread context of 3168  2160  omsecor.exe                                                             108
PID 3468 set thread context of 2816  3468  omsecor.exe                                                             112

Program crash (4 IoCs)
pid   pid_target  Process       procid_target
1896  4120        WerFault.exe  82
1748  3936        WerFault.exe  86
1472  2160        WerFault.exe  107
3868  3468        WerFault.exe  110
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Suspicious use of WriteProcessMemory (29 IoCs)
description                       pid   Process                                                                 procid_target
PID 4120 wrote to memory of 1484  4120  7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe  83
PID 4120 wrote to memory of 1484  4120  7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe  83
PID 4120 wrote to memory of 1484  4120  7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe  83
PID 4120 wrote to memory of 1484  4120  7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe  83
PID 4120 wrote to memory of 1484  4120  7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe  83
PID 1484 wrote to memory of 3936  1484  7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe  86
PID 1484 wrote to memory of 3936  1484  7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe  86
PID 1484 wrote to memory of 3936  1484  7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe  86
PID 3936 wrote to memory of 4672  3936  omsecor.exe                                                             88
PID 3936 wrote to memory of 4672  3936  omsecor.exe                                                             88
PID 3936 wrote to memory of 4672  3936  omsecor.exe                                                             88
PID 3936 wrote to memory of 4672  3936  omsecor.exe                                                             88
PID 3936 wrote to memory of 4672  3936  omsecor.exe                                                             88
PID 4672 wrote to memory of 2160  4672  omsecor.exe                                                             107
PID 4672 wrote to memory of 2160  4672  omsecor.exe                                                             107
PID 4672 wrote to memory of 2160  4672  omsecor.exe                                                             107
PID 2160 wrote to memory of 3168  2160  omsecor.exe                                                             108
PID 2160 wrote to memory of 3168  2160  omsecor.exe                                                             108
PID 2160 wrote to memory of 3168  2160  omsecor.exe                                                             108
PID 2160 wrote to memory of 3168  2160  omsecor.exe                                                             108
PID 2160 wrote to memory of 3168  2160  omsecor.exe                                                             108
PID 3168 wrote to memory of 3468  3168  omsecor.exe                                                             110
PID 3168 wrote to memory of 3468  3168  omsecor.exe                                                             110
PID 3168 wrote to memory of 3468  3168  omsecor.exe                                                             110
PID 3468 wrote to memory of 2816  3468  omsecor.exe                                                             112
PID 3468 wrote to memory of 2816  3468  omsecor.exe                                                             112
PID 3468 wrote to memory of 2816  3468  omsecor.exe                                                             112
PID 3468 wrote to memory of 2816  3468  omsecor.exe                                                             112
PID 3468 wrote to memory of 2816  3468  omsecor.exe                                                             112
Processes
(indentation shows the parent/child nesting level recorded by the sandbox)

Level 1: C:\Users\Admin\AppData\Local\Temp\7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe (PID:4120)
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe (PID:1484)
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Roaming\omsecor.exe (PID:3936)
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Users\Admin\AppData\Roaming\omsecor.exe (PID:4672)
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        Level 5: C:\Windows\SysWOW64\omsecor.exe (PID:2160)
          command line: C:\Windows\System32\omsecor.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          Level 6: C:\Windows\SysWOW64\omsecor.exe (PID:3168)
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            Level 7: C:\Users\Admin\AppData\Roaming\omsecor.exe (PID:3468)
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              Level 8: C:\Users\Admin\AppData\Roaming\omsecor.exe (PID:2816)
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
              Level 8: C:\Windows\SysWOW64\WerFault.exe (PID:3868)
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 252
                - Program crash
          Level 6: C:\Windows\SysWOW64\WerFault.exe (PID:1472)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 292
            - Program crash
      Level 4: C:\Windows\SysWOW64\WerFault.exe (PID:1748)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 288
        - Program crash
  Level 2: C:\Windows\SysWOW64\WerFault.exe (PID:1896)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 288
    - Program crash

Level 1: C:\Windows\SysWOW64\WerFault.exe (PID:4076)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4120 -ip 4120

Level 1: C:\Windows\SysWOW64\WerFault.exe (PID:1508)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3936 -ip 3936

Level 1: C:\Windows\SysWOW64\WerFault.exe (PID:3916)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2160 -ip 2160

Level 1: C:\Windows\SysWOW64\WerFault.exe (PID:2296)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3468 -ip 3468
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 96KB
MD5: 3f64a5ea07124ad3eb526ed18790bd50
SHA1: cd6dd1692041995bcbe15c4804afac3b36559edf
SHA256: aca34b6f8e538bdf07d275810ec95fabcadd27b842703676de5fe1bad288a668
SHA512: c3ae7bd232b501c0992d55da95da27a0df2ff26af508d51a2930f7e1952858d953363d42eae0a8b4b36e906b9d7632e9acdf5e9b5d02b112d88963471a1394cb

Filesize: 96KB
MD5: a42941588f9c7f3e8d6c0f37ffc441a1
SHA1: 108d0dc9f793762e5b67ec0cec3f80884d55e43b
SHA256: 59a952763aa384b0c2c1e6d9017a22fb85aef0e13ab18431c63eb215d3f5f6be
SHA512: 90aac23129a9cc945957e334fb126fbac6968620fab7857a8a23e3010440e576c24638c038344263ea2b6595520dc66036e5ccf59c93df76c750faaec45cb775

Filesize: 96KB
MD5: 13d917dea739bfc45c3cd08a42d00fa8
SHA1: 6e6430f9490785868652fde3f9b6196130ed9d9a
SHA256: 9beefa7d0891866307c7e59d6874386246dc893de1b60d9c61e1976f279e264c
SHA512: 87d78e7fe261570f81bf50b36920a25dad6e3a7b54a77d00a697f853b0087690ba490f0c719fa859e884b0cfbfd1f01e127ff21b675f27eaed40dcc770844a9d